Windows native: hermes doctor reports agent-browser npm vulnerabilities but package has no lockfile for audit #36893

@tsktech

Summary

On a Windows native Hermes install, hermes doctor reports that the Browser tools / agent-browser package has npm vulnerabilities, but running npm audit manually is not actionable because the installed agent-browser package does not include a package-lock.json.

This makes it unclear whether the user should run hermes doctor --fix, ignore the warning, or manually modify the Hermes-managed install under %LOCALAPPDATA%.

Environment

  • OS: Windows 11
  • Node.js: v24.15.0
  • npm: 11.13.0
  • Hermes install type: Windows native
  • Hermes install path observed: C:\Users\Srika\AppData\Local\hermes\hermes-agent
  • Package path observed: C:\Users\Srika\AppData\Local\hermes\hermes-agent\node_modules\agent-browser
  • agent-browser version: 0.26.0

Output from hermes doctor

Found 2 issue(s) to address:

1. Browser tools (agent-browser) has 6 npm vulnerabilities
2. Run 'hermes setup' to configure missing API keys for full tool access

Tip: run 'hermes doctor --fix' to auto-fix what's possible.

What was tried

Running npm audit from the user home directory fails because there is no lockfile there, which is expected:

npm error code ENOLOCK
npm error audit This command requires an existing lockfile.
npm error audit Try creating one first with: npm i --package-lock-only
npm error audit Original error: loadVirtual requires existing shrinkwrap file

The relevant package folder was then located:

Get-ChildItem "$env:LOCALAPPDATA\hermes" -Recurse -Directory -ErrorAction SilentlyContinue |
Where-Object { $_.Name -match "agent-browser|browser" } |
Select-Object FullName

Relevant result:

C:\Users\Srika\AppData\Local\hermes\hermes-agent\node_modules\agent-browser

Inspecting that folder showed it contains package.json but no package-lock.json:

Name         Length LastWriteTime
----         ------ -------------
bin                 01-06-2026 21:46:22
scripts             01-06-2026 21:46:22
skill-data          01-06-2026 21:46:22
skills              01-06-2026 21:46:22
LICENSE      10931  01-06-2026 21:46:22
package.json 1980   01-06-2026 21:46:22
README.md    57913  01-06-2026 21:46:22

Package version check:

Get-Content "$env:LOCALAPPDATA\hermes\hermes-agent\node_modules\agent-browser\package.json" |
Select-String '"name"|"version"'

Output:

  "name": "agent-browser",
  "version": "0.26.0",
    "version": "npm run version:sync && git add cli/Cargo.toml",

Question / request

Could hermes doctor provide a clearer fix path for this warning on Windows native installs?

For example:

  • If hermes doctor --fix is expected to resolve it, document or print that explicitly.
  • If users should not manually run npm audit fix inside %LOCALAPPDATA%\hermes\hermes-agent\node_modules\agent-browser, say that clearly.
  • If the installed package intentionally has no lockfile, avoid suggesting an npm-audit workflow that requires one.
  • Ideally, provide a doctor remediation message specific to the managed Windows native install.

Why this matters

A user seeing this warning may try to manually run npm audit or npm audit fix, but without a lockfile this fails or may encourage modification of Hermes-managed install files. A clearer doctor message would avoid confusion and reduce the chance of users breaking their local Hermes install.
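Added example, not part of the original issue and not Hermes project code: one way to get an actionable `npm audit` report for a package that ships without a lockfile is to copy only its `package.json` into a scratch directory and generate the lockfile there, so nothing under the managed install is modified. The scratch directory name is an assumption; the lockfile reflects the versions npm resolves today, which may differ from what is actually installed, so the counts need not match what `hermes doctor` prints.

```powershell
# Added example: audit agent-browser's declared dependencies in a scratch copy.
# The Hermes-managed install is only read from, never written to.
$pkgDir  = Join-Path $env:LOCALAPPDATA 'hermes\hermes-agent\node_modules\agent-browser'  # path from the report
$scratch = Join-Path $env:TEMP ('agent-browser-audit-' + [guid]::NewGuid().ToString('N')) # assumed scratch name

$manifest = Join-Path $pkgDir 'package.json'
if (-not (Test-Path $manifest)) { throw "package.json not found under $pkgDir" }

New-Item -ItemType Directory -Path $scratch | Out-Null
Copy-Item $manifest $scratch

Push-Location $scratch
try {
    # Resolve a lockfile only: no node_modules is created and no lifecycle scripts run.
    npm install --package-lock-only --ignore-scripts --no-audit --no-fund | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "lockfile generation failed (exit code $LASTEXITCODE)" }

    # npm audit exits non-zero when it finds vulnerabilities, so parse the JSON
    # report instead of treating the exit code as a failure.
    $report = npm audit --json --omit=dev | Out-String | ConvertFrom-Json
    if (-not $report.metadata) { throw 'npm audit did not return a report' }

    # Severity totals for the resolved (non-dev) dependency tree.
    $report.metadata.vulnerabilities | Format-List

    # One row per affected package: severity, direct or transitive, affected range.
    $report.vulnerabilities.PSObject.Properties | ForEach-Object {
        [pscustomobject]@{
            Package  = $_.Name
            Severity = $_.Value.severity
            Direct   = $_.Value.isDirect
            Range    = $_.Value.range
        }
    } | Sort-Object Severity, Package | Format-Table -AutoSize
}
finally {
    Pop-Location
    Remove-Item -Recurse -Force $scratch
}
```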

Labels

  • P2: Medium — degraded but workaround exists
  • comp/cli: CLI entry point, hermes_cli/, setup wizard
  • tool/browser: Browser automation (CDP, Playwright)
  • type/bug: Something isn't working
